super-productivity/.github/workflows/e2e-scheduled.yml
Johannes Millan 10a47888a6
feat(sync): offer E2EE before first upload for file-based providers (#8709)
* feat(sync): offer E2EE at setup for file-based providers

File-based providers (WebDAV, Nextcloud, Dropbox, OneDrive, local file)
support optional client-side encryption but, unlike SuperSync, have no
mandatory-encryption upload guard — so their first setup sync would ship
plaintext before a user could enable E2EE.

Offer to set an encryption password during first-time setup and persist it
as part of the SAME config save: the key goes to the provider's privateCfg
and isEncryptionEnabled to the global config, atomically with isEnabled.
The normal first sync then encrypts from the first op via the standard
download-first flow — no separate snapshot-overwrite and no plaintext-upload
race. Skipping keeps the existing unencrypted behavior; works offline too.

Reuses DialogEnableEncryptionComponent in a new side-effect-free
collectPasswordOnly mode (returns the password, writes nothing), with a
provider-aware Skip action for the disableClose setup modal.

* test(sync): skip file-based setup encryption prompt in webdav e2e helper

Fresh file-based setup now opens the optional "Encrypt before first upload?"
dialog before the config is persisted, so setupWebdavSync would stall on the
disableClose modal. Dismiss it via a new Skip selector so every WebDAV spec
proceeds unencrypted, exactly as before; encryption specs still enable it
afterwards via enableEncryption().

* test(sync): add e2e for file-based setup-time encryption

Adds a @webdav @encryption spec that configures WebDAV with the encryption
password set in the setup dialog, then asserts the first upload's remote
sync-data.json does NOT contain the task title in plaintext (compression is
off by default, so a plaintext upload would) — proving the first sync is
encrypted — and that a second client with the same password decrypts and
receives the task without overwriting the remote.

setupWebdavSync gains an encryptAtSetup option (fills the new dialog instead
of skipping it); adds e2e selectors on the setup dialog password/confirm/
submit controls.

* ci(e2e): allow targeting the webdav job via workflow_dispatch grep

The webdav e2e job hardcoded --grep "@webdav"; add a webdav_grep dispatch
input (default @webdav, mirroring the supersync job) so a specific WebDAV
test can be run on demand.

* test(sync): fix remote sync-file path in setup-encryption e2e

Non-production builds nest the file under a /DEV segment
(sync-providers.factory.ts). The raw-fetch assertion omitted it and 404'd;
the CI trace confirmed the app uploaded to <folder>/DEV/sync-data.json and
that the first upload was encrypted.

* test(sync): cover joining an unencrypted remote with setup-time encryption

Adds the data-safety edge case for file-based setup-time E2EE: a client that
sets a password at setup while joining a remote that already holds UNENCRYPTED
data. Asserts the join reads and preserves the existing data (does not overwrite
the remote with the joining client's empty state) and that a subsequent write
upgrades the remote to encrypted (no plaintext titles remain).
2026-07-02 17:17:01 +02:00

264 lines
8.4 KiB
YAML

name: 'E2E Tests (Scheduled)'
on:
schedule:
- cron: '0 2 * * *' # 2 AM UTC daily
workflow_dispatch:
inputs:
grep:
description: 'Playwright --grep filter for the SuperSync job (default: @supersync)'
required: false
type: string
default: '@supersync'
webdav_grep:
description: 'Playwright --grep filter for the WebDAV job (default: @webdav)'
required: false
type: string
default: '@webdav'
push:
branches: [master, release/*]
paths:
- 'src/app/imex/sync/**'
- 'src/app/op-log/**'
- 'e2e/tests/**'
- 'docker-compose.yaml'
- 'docker-compose.supersync.yaml'
- 'packages/sync-core/**'
- 'packages/super-sync-server/**'
- 'packages/shared-schema/**'
permissions:
contents: read
jobs:
# Job 0: Build frontend once and share artifact
build:
name: Build Frontend
runs-on: ubuntu-latest
timeout-minutes: 15
env:
UNSPLASH_KEY: ${{ secrets.UNSPLASH_KEY }}
UNSPLASH_CLIENT_ID: ${{ secrets.UNSPLASH_CLIENT_ID }}
steps:
- name: Check out Git repository
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v6
with:
persist-credentials: false
- name: Setup E2E Environment
uses: ./.github/actions/setup-e2e
- run: npm run env
- name: Build Frontend for E2E
run: npm run buildFrontend:e2e
- name: Verify Build Output
run: |
test -f .tmp/angular-dist/browser/index.html || (echo "Build output missing" && exit 1)
test -f .tmp/angular-dist/browser/assets/bundled-plugins/api-test-plugin/manifest.json || (echo "Plugin assets missing from build" && exit 1)
- name: Upload Build Artifact
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: e2e-build-${{ github.run_id }}
path: .tmp/angular-dist
retention-days: 1
# Job 1: Regular E2E tests (excludes WebDAV and SuperSync)
e2e-regular:
name: E2E Tests (Regular)
needs: [build]
runs-on: ubuntu-latest
timeout-minutes: 60
env:
UNSPLASH_KEY: ${{ secrets.UNSPLASH_KEY }}
UNSPLASH_CLIENT_ID: ${{ secrets.UNSPLASH_CLIENT_ID }}
steps:
- name: Check out Git repository
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v6
with:
persist-credentials: false
- name: Setup E2E Environment
uses: ./.github/actions/setup-e2e
- name: Download Build Artifact
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v4
with:
name: e2e-build-${{ github.run_id }}
path: .tmp/angular-dist
- name: Run Regular E2E Tests
run: npm run e2e:ci
- name: Upload E2E Results on Failure
if: ${{ failure() }}
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: e2e-results-regular-${{ github.run_id }}
path: .tmp/e2e-test-results/**/*.*
retention-days: 30
# Job 2: WebDAV E2E tests
e2e-webdav:
name: E2E Tests (WebDAV)
needs: [build]
runs-on: ubuntu-latest
timeout-minutes: 30
env:
UNSPLASH_KEY: ${{ secrets.UNSPLASH_KEY }}
UNSPLASH_CLIENT_ID: ${{ secrets.UNSPLASH_CLIENT_ID }}
steps:
- name: Check out Git repository
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v6
with:
persist-credentials: false
- name: Setup E2E Environment
uses: ./.github/actions/setup-e2e
- name: Download Build Artifact
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v4
with:
name: e2e-build-${{ github.run_id }}
path: .tmp/angular-dist
- name: Create .env file for Docker Compose
run: |
cp .env.example .env
- name: Start WebDAV Docker Service
# Retry to survive transient Docker Hub pull timeouts / rate limits
uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3
with:
timeout_minutes: 6
max_attempts: 3
retry_wait_seconds: 20
command: |
docker compose up -d webdav
chmod +x ./scripts/wait-for-webdav.sh
./scripts/wait-for-webdav.sh
- name: Run WebDAV E2E Tests
env:
E2E_REQUIRE_WEBDAV: 'true'
run: npm run e2e:all -- --grep "${{ inputs.webdav_grep || '@webdav' }}"
- name: Stop Docker Services
if: always()
run: |
docker compose down
- name: Print Docker Logs on Failure
if: ${{ failure() }}
run: |
echo "=== WebDAV Logs ==="
docker compose logs webdav
- name: Upload E2E Results on Failure
if: ${{ failure() }}
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: e2e-results-webdav-${{ github.run_id }}
path: .tmp/e2e-test-results/**/*.*
retention-days: 30
# Job 3: SuperSync E2E tests (sharded)
e2e-supersync:
name: E2E Tests (SuperSync ${{ matrix.shard }}/6)
needs: [build]
runs-on: ubuntu-latest
timeout-minutes: 40
strategy:
fail-fast: false
matrix:
shard: [1, 2, 3, 4, 5, 6]
env:
UNSPLASH_KEY: ${{ secrets.UNSPLASH_KEY }}
UNSPLASH_CLIENT_ID: ${{ secrets.UNSPLASH_CLIENT_ID }}
steps:
- name: Check out Git repository
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v6
with:
persist-credentials: false
- name: Setup E2E Environment
uses: ./.github/actions/setup-e2e
- name: Download Build Artifact
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v4
with:
name: e2e-build-${{ github.run_id }}
path: .tmp/angular-dist
- name: Create .env file for Docker Compose
run: |
cp .env.example .env
- name: Start SuperSync Docker Service
# Retry to survive transient Docker Hub pull timeouts / rate limits;
# timeout_minutes also bounds the otherwise-unbounded health-wait loop
uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3
with:
timeout_minutes: 12
max_attempts: 3
retry_wait_seconds: 20
command: |
docker compose -f docker-compose.yaml -f docker-compose.supersync.yaml up -d --build supersync
echo "⏳ Waiting for SuperSync server..."
until curl -s http://localhost:1901/health > /dev/null 2>&1; do sleep 1; done
echo "✓ SuperSync server ready!"
- name: Run SuperSync E2E Tests
env:
E2E_REQUIRE_SUPERSYNC: 'true'
run: npm run e2e:all -- --grep "${{ inputs.grep || '@supersync' }}" --shard=${{ matrix.shard }}/6
- name: Stop Docker Services
if: always()
run: |
docker compose -f docker-compose.yaml -f docker-compose.supersync.yaml down supersync
- name: Print Docker Logs on Failure
if: ${{ failure() }}
run: |
echo "=== SuperSync Logs ==="
docker compose -f docker-compose.yaml -f docker-compose.supersync.yaml logs supersync
- name: Upload E2E Results on Failure
if: ${{ failure() }}
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: e2e-results-supersync-${{ matrix.shard }}-${{ github.run_id }}
path: .tmp/e2e-test-results/**/*.*
retention-days: 30
# Job 4: SuperSync Server Unit Tests (runs in parallel with build, no artifact needed)
supersync-server-tests:
name: SuperSync Server Unit Tests
runs-on: ubuntu-latest
timeout-minutes: 10
steps:
- name: Check out Git repository
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v6
with:
persist-credentials: false
- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
with:
node-version: 22
cache: 'npm'
- name: Reconfigure git to use HTTP authentication
run: >
git config --global url."https://github.com/".insteadOf
ssh://git@github.com/
- name: Install npm Packages
run: npm i
- name: Run SuperSync Server Tests
run: cd packages/super-sync-server && npm test